Vulnerabilites related to omron - plc_cs_firmware
Vulnerability from fkie_nvd
Published
2019-12-16 20:15
Modified
2024-11-21 04:32
Severity ?
Summary
Omron’s CS and CJ series PLCs have an unrestricted externally accessible lock vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.omron-cxone.com/security/2019-12-06_PLC_EN.pdf | ||
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-19-346-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.omron-cxone.com/security/2019-12-06_PLC_EN.pdf | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-19-346-02 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| omron | plc_cj_firmware | * | |
| omron | plc_cs_firmware | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:plc_cj_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AF2C347-B4A7-4505-98A4-AFDCB1FCD386",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:omron:plc_cs_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF9CD76C-F6E9-4E01-A039-4049B706DD92",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nOmron\u2019s CS and CJ series PLCs have an unrestricted externally accessible lock vulnerability. \n\n"
},
{
"lang": "es",
"value": "En el Omron PLC CJ series, todas las versiones, y en el Omron PLC CS series, todas las versiones, el software comprueba apropiadamente la existencia de un bloqueo, pero el bloqueo puede ser controlado externamente o influenciado por un actor que se encuentra fuera de la esfera de control prevista."
}
],
"id": "CVE-2019-18269",
"lastModified": "2024-11-21T04:32:56.703",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-16T20:15:15.773",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"url": "https://www.omron-cxone.com/security/2019-12-06_PLC_EN.pdf"
},
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.omron-cxone.com/security/2019-12-06_PLC_EN.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-412"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-16 20:15
Modified
2024-11-21 04:32
Severity ?
Summary
In Omron PLC CJ series, all versions and Omron PLC CS series, all versions, an attacker could spoof arbitrary messages or execute commands.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-19-346-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-19-346-02 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| omron | plc_cj_firmware | * | |
| omron | plc_cs_firmware | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:plc_cj_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AF2C347-B4A7-4505-98A4-AFDCB1FCD386",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:omron:plc_cs_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF9CD76C-F6E9-4E01-A039-4049B706DD92",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Omron PLC CJ series, all versions and Omron PLC CS series, all versions, an attacker could spoof arbitrary messages or execute commands."
},
{
"lang": "es",
"value": "En el Omron PLC CJ series, todas las versiones y Omron PLC CS series, todas las versiones, un atacante podr\u00eda falsificar mensajes arbitrarios o ejecutar comandos."
}
],
"id": "CVE-2019-18259",
"lastModified": "2024-11-21T04:32:56.130",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-16T20:15:15.633",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-16 20:15
Modified
2024-11-21 04:25
Severity ?
Summary
In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-19-346-02 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-19-346-02 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| omron | plc_cj_firmware | * | |
| omron | plc_cs_firmware | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:plc_cj_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AF2C347-B4A7-4505-98A4-AFDCB1FCD386",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:omron:plc_cs_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF9CD76C-F6E9-4E01-A039-4049B706DD92",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves."
},
{
"lang": "es",
"value": "En el Omron PLC CJ series, todas las versiones, y el Omron PLC CS series, todas las versiones, un atacante podr\u00eda monitorear el tr\u00e1fico entre el PLC y el controlador y reproducir las peticiones que podr\u00edan resultar en la apertura y cierre de v\u00e1lvulas industriales."
}
],
"id": "CVE-2019-13533",
"lastModified": "2024-11-21T04:25:05.593",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.3,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-16T20:15:14.743",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-294"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-294"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-12-16 20:15
Modified
2024-11-21 04:32
Severity ?
Summary
In Omron PLC CS series, all versions, Omron PLC CJ series, all versions, and Omron PLC NJ series, all versions, the software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| ics-cert@hq.dhs.gov | https://www.us-cert.gov/ics/advisories/icsa-19-346-03 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.us-cert.gov/ics/advisories/icsa-19-346-03 | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| omron | plc_cj_firmware | * | |
| omron | plc_cs_firmware | * | |
| omron | plc_nj_firmware | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:omron:plc_cj_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AF2C347-B4A7-4505-98A4-AFDCB1FCD386",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:omron:plc_cs_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF9CD76C-F6E9-4E01-A039-4049B706DD92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:omron:plc_nj_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA0D87D7-A7AF-45DE-90EE-67103BA00A6B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Omron PLC CS series, all versions, Omron PLC CJ series, all versions, and Omron PLC NJ series, all versions, the software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks."
},
{
"lang": "es",
"value": "En el Omron PLC CS series, todas las versiones, el Omron PLC CJ series, todas las versiones y el Omron PLC NJ series, todas las versiones, el software no implementa medidas suficientes para impedir m\u00faltiples intentos de autenticaci\u00f3n fallidos dentro un per\u00edodo de tiempo corto, haci\u00e9ndola m\u00e1s susceptible a los ataques de fuerza bruta."
}
],
"id": "CVE-2019-18261",
"lastModified": "2024-11-21T04:32:56.237",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-16T20:15:15.697",
"references": [
{
"source": "ics-cert@hq.dhs.gov",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-03"
}
],
"sourceIdentifier": "ics-cert@hq.dhs.gov",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "ics-cert@hq.dhs.gov",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2019-13533 (GCVE-0-2019-13533)
Vulnerability from cvelistv5
Published
2019-12-16 19:25
Modified
2024-08-04 23:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-294 - AUTHENTICATION BYPASS BY CAPTURE-REPLAY
Summary
In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Omron PLC CJ and CS Series |
Version: Omron PLC CJ series, all versions, Omron PLC CS series, all versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:57:39.436Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Omron PLC CJ and CS Series",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Omron PLC CJ series, all versions, Omron PLC CS series, all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-16T19:25:00",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-13533",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Omron PLC CJ and CS Series",
"version": {
"version_data": [
{
"version_value": "Omron PLC CJ series, all versions, Omron PLC CS series, all versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, an attacker could monitor traffic between the PLC and the controller and replay requests that could result in the opening and closing of industrial valves."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-13533",
"datePublished": "2019-12-16T19:25:00",
"dateReserved": "2019-07-11T00:00:00",
"dateUpdated": "2024-08-04T23:57:39.436Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18269 (GCVE-0-2019-18269)
Vulnerability from cvelistv5
Published
2019-12-16 19:21
Modified
2024-08-05 01:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-412 - Unrestricted Externally Accessible Lock
Summary
Omron’s CS and CJ series PLCs have an unrestricted externally accessible lock vulnerability.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Omron | Omron PLC CJ Series |
Version: all versions |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.omron-cxone.com/security/2019-12-06_PLC_EN.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Omron PLC CJ Series",
"vendor": "Omron",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omron PLC CS series",
"vendor": "Omron",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Omron PLC NX1P2 series",
"vendor": "Omron",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jipeng You (XDU) and n0b0dy reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOmron\u2019s CS and CJ series PLCs have an unrestricted externally accessible lock vulnerability. \u003c/span\u003e\n\n"
}
],
"value": "\nOmron\u2019s CS and CJ series PLCs have an unrestricted externally accessible lock vulnerability. \n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-412",
"description": "CWE-412 Unrestricted Externally Accessible Lock",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-27T22:40:45.810Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
},
{
"url": "https://www.omron-cxone.com/security/2019-12-06_PLC_EN.pdf"
}
],
"source": {
"discovery": "EXTERNAL"
},
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cp\u003eOmron recommends the following mitigation measures:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFilter FINS port: Protect access to Omron\u2019s PLC with a firewall and blocking unnecessary remote access to FINS port (default: 9600).\u003c/li\u003e\u003cli\u003eFilter IP addresses: Protect access to Omron\u2019s PLC with a firewall and filtering devices connected to the PLC by IP address.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eFor more information provided by Omron on these vulnerabilities refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://gcc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.omron-cxone.com%2Fsecurity%2F2019-12-06_PLC_EN.pdf\u0026amp;data=02%7C01%7Ckent.norris%40inl.gov%7C20bf150382654ea6bed508d77a33e9d1%7C4cf464b7869a42368da2a98566485554%7C0%7C1%7C637112235716101466\u0026amp;sdata=HF291pOMe65LwSvq4DynQqT%2FX7Sw%2BT92JGwRsXmC7WU%3D\u0026amp;reserved=0\"\u003eVulnerabilities in Omron CS and CJ series CPU PLCs\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nOmron recommends the following mitigation measures:\n\n * Filter FINS port: Protect access to Omron\u2019s PLC with a firewall and blocking unnecessary remote access to FINS port (default: 9600).\n * Filter IP addresses: Protect access to Omron\u2019s PLC with a firewall and filtering devices connected to the PLC by IP address.\n\n\nFor more information provided by Omron on these vulnerabilities refer to Vulnerabilities in Omron CS and CJ series CPU PLCs https://gcc01.safelinks.protection.outlook.com/ .\n\n\n\n\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18269",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Omron PLC CJ and CS Series",
"version": {
"version_data": [
{
"version_value": "Omron PLC CJ series, all versions, Omron PLC CS series, all versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Omron PLC CJ series, all versions, and Omron PLC CS series, all versions, the software properly checks for the existence of a lock, but the lock can be externally controlled or influenced by an actor that is outside of the intended sphere of control."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "UNRESTRICTED EXTERNALLY ACCESSIBLE LOCK CWE-412"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18269",
"datePublished": "2019-12-16T19:21:31",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18259 (GCVE-0-2019-18259)
Vulnerability from cvelistv5
Published
2019-12-16 19:19
Modified
2024-08-05 01:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-290 - AUTHENTICATION BYPASS BY SPOOFING
Summary
In Omron PLC CJ series, all versions and Omron PLC CS series, all versions, an attacker could spoof arbitrary messages or execute commands.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Omron PLC CJ and CS Series |
Version: Omron PLC CJ series, all versions, Omron PLC CS series, all versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Omron PLC CJ and CS Series",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Omron PLC CJ series, all versions, Omron PLC CS series, all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Omron PLC CJ series, all versions and Omron PLC CS series, all versions, an attacker could spoof arbitrary messages or execute commands."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "AUTHENTICATION BYPASS BY SPOOFING CWE-290",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-16T19:19:04",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18259",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Omron PLC CJ and CS Series",
"version": {
"version_data": [
{
"version_value": "Omron PLC CJ series, all versions, Omron PLC CS series, all versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Omron PLC CJ series, all versions and Omron PLC CS series, all versions, an attacker could spoof arbitrary messages or execute commands."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "AUTHENTICATION BYPASS BY SPOOFING CWE-290"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18259",
"datePublished": "2019-12-16T19:19:04",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.082Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-18261 (GCVE-0-2019-18261)
Vulnerability from cvelistv5
Published
2019-12-16 19:27
Modified
2024-08-05 01:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-307 - IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS
Summary
In Omron PLC CS series, all versions, Omron PLC CJ series, all versions, and Omron PLC NJ series, all versions, the software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Omron PLC CJ, CS and NJ Series |
Version: Omron PLC CS series, all versions, Omron PLC CJ series, all versions, Omron PLC NJ series, all versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:47:14.092Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-03"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Omron PLC CJ, CS and NJ Series",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Omron PLC CS series, all versions, Omron PLC CJ series, all versions, Omron PLC NJ series, all versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Omron PLC CS series, all versions, Omron PLC CJ series, all versions, and Omron PLC NJ series, all versions, the software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-16T19:27:58",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-03"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2019-18261",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Omron PLC CJ, CS and NJ Series",
"version": {
"version_data": [
{
"version_value": "Omron PLC CS series, all versions, Omron PLC CJ series, all versions, Omron PLC NJ series, all versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Omron PLC CS series, all versions, Omron PLC CJ series, all versions, and Omron PLC NJ series, all versions, the software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brute force attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-19-346-03",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-346-03"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2019-18261",
"datePublished": "2019-12-16T19:27:58",
"dateReserved": "2019-10-22T00:00:00",
"dateUpdated": "2024-08-05T01:47:14.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}